Establishing a New Internet Security Protocol

NSF-funded project devises stronger transmission control for the Internet

6/10/2013

Cyber-attacks, cyber-espionage and cyber-crime represent some of the greatest modern threats to nations and organizations around the world. In response, security experts in government and the private sector have suggested re-architecting the protocols that underpin the Internet in order to build in accountability that thwarts cyber-attacks. As a member of a multi-institutional team funded by the National Science Foundation (NSF) Future Internet Architecture (FIA) program, Dr. Antonio Nicolosi, expert cryptographer and Assistant Professor of Computer Science at Stevens Institute of Technology, has spent two years re-engineering the Internet Protocol (IP) with researchers from the University of Pennsylvania, Cornell University, the Massachusetts Institute of Technology, Princeton University, Purdue University, Stanford University, the University of California, Berkeley, the University of Delaware, the University of Illinois at Urbana-Champaign, the University of Texas, Austin, and the University of Washington.

“Corporations spend billions of dollars annually to prevent cyber-attacks, and estimates for the direct and indirect costs of cybercrime range in the hundreds of billions of dollars,” says Dr. Michael Bruno, Dean of the Charles V. Schaefer, Jr. School of Engineering and Science at Stevens. “This pioneering, multi-institutional collaboration establishes a new security paradigm that has the potential to alleviate the financial costs of cyber-crime.”

Dr. Nicolosi and colleagues have examined the way that interconnection information propagates online and believe they can fundamentally alter data transmissions to create promising advances in security while retaining a reasonable level of privacy. The team has developed prototypical code that has the potential to build accountability into the infrastructure of the Internet by enabling users to know the source and path of data and refuse anything that doesn’t meet their routing policies. This potentially creates a new level of authentication and a higher standard of security for individuals and enterprises on the Internet.

The FIA team recognized that there has been considerable research into methods of expressing a routing policy for data, but not into the ability to enforce that policy. To meet this need, they have designed a system in which a user can be certain that a data packet followed an approved path. As a cryptographer and network security specialist for the team, Dr. Nicolosi has worked closely with David Mazières of Stanford University, Michael Miller and Michael Walfish of the University of Texas Austin, and Jad Naous of the Massachusetts Institute of Technology on an alternative to IP called ICING. He says, “Currently when a machine sends data, there is no guarantee that it will take an agreed path. ICING allows for considerations that go beyond taking the shortest path like avoidance of a certain network region.” Corporate enterprises could ensure that all traffic is routed through a gateway machine dedicated to blocking viruses and other malicious data packets, thus concentrating maintenance and updates on one machine.

Dr. Nicolosi and colleagues are also investigating whether the technology can serve as a line of defense against distributed denial-of-service (DDoS) attacks. These attacks generally work by saturating the target machine with requests until it fails to respond to legitimate traffic. Nodes on the Internet are currently “default-on,” meaning that they generally accept any incoming request. ICING, on the other hand, is “default-off” except for a bootstrapping level that accepts data in order to grant permission for external requests. The team is exploring whether this structure can provide robust protection against DDoS.
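The two ideas described above, enforcing that a packet followed an approved path (for example, through a mandatory gateway and around a region the receiver wants to avoid) and dropping traffic that no realm on the path has consented to (“default-off”), can be illustrated with a small simulation. The following is an added example written for this page; it is not code from the ICING project and does not reproduce ICING's actual protocol. It assumes a simplified model in which each network realm holds a symmetric key known to the destination verifier, consent and provenance are HMAC-SHA256 stamps, and the realm names, keys and policy are constructed for the example.

```python
"""Toy path-policy enforcement in the spirit of the article's description.

Constructed model (assumption, not the real ICING design): every realm holds a
symmetric key. The sender declares a path and obtains a consent proof from each
realm on it; a realm forwards only if it holds a valid consent proof for the
packet (default-off) and then appends a provenance proof chained to the previous
one. The destination accepts only if the provenance chain verifies, the
travelled path equals the declared one, and the path satisfies its policy.
"""
import hashlib
import hmac

# Constructed realm keys; a real deployment would provision keys out of band.
REALM_KEYS = {
    "sender-net": b"k-sender-net",
    "isp-a": b"k-isp-a",
    "isp-b": b"k-isp-b",
    "region-x": b"k-region-x",
    "gateway": b"k-gateway",
    "dest-net": b"k-dest-net",
}


def _mac(realm, tag, data):
    return hmac.new(REALM_KEYS[realm], tag + data, hashlib.sha256).digest()


def packet_id(payload, path):
    """Bind payload to the declared path so proofs cannot be replayed on another path."""
    return hashlib.sha256(b"|".join(r.encode() for r in path) + b"\x00" + payload).digest()


def build_packet(payload, path):
    pid = packet_id(payload, path)
    return {
        "payload": payload,
        "path": tuple(path),
        "pid": pid,
        # Consent proofs, one per declared realm, gathered before the packet is sent.
        "consent": {r: _mac(r, b"consent|", pid) for r in path},
        "provenance": [],  # (realm, proof) stamps appended hop by hop
    }


def forward(packet, realm):
    """A hop forwards only with a valid consent proof; otherwise it drops (default-off)."""
    expected = _mac(realm, b"consent|", packet["pid"])
    if not hmac.compare_digest(packet["consent"].get(realm, b""), expected):
        return False
    prev = packet["provenance"][-1][1] if packet["provenance"] else b""
    packet["provenance"].append((realm, _mac(realm, b"prov|", packet["pid"] + prev)))
    return True


def send(payload, declared_path, actual_path):
    """Simulate transit along actual_path; returns the packet, or None if dropped en route."""
    pkt = build_packet(payload, declared_path)
    for realm in actual_path:
        if not forward(pkt, realm):
            return None
    return pkt


def verify_at_destination(packet, policy):
    """Accept only if the provenance chain verifies, the travelled path matches the
    declared path, and the path satisfies the receiver's routing policy."""
    if packet is None:
        return False
    pid = packet_id(packet["payload"], packet["path"])
    if pid != packet["pid"]:
        return False
    prev, travelled = b"", []
    for realm, proof in packet["provenance"]:
        if realm not in REALM_KEYS:
            return False
        if not hmac.compare_digest(proof, _mac(realm, b"prov|", pid + prev)):
            return False
        prev = proof
        travelled.append(realm)
    if tuple(travelled) != packet["path"]:
        return False
    realms = set(travelled)
    return not (policy["must_avoid"] & realms) and policy["must_include"] <= realms


# Constructed receiver policy: traffic must pass the gateway and must avoid region-x.
POLICY = {"must_include": {"gateway"}, "must_avoid": {"region-x"}}
GOOD_PATH = ("sender-net", "isp-a", "gateway", "dest-net")


def demo():
    """Three cases: compliant path, diversion through an unconsented realm, gateway skipped."""
    ok = send(b"hello", GOOD_PATH, GOOD_PATH)
    # region-x never consented to this packet, so it drops it (default-off).
    diverted = send(b"hello", GOOD_PATH,
                    ("sender-net", "isp-a", "region-x", "gateway", "dest-net"))
    # Every hop consents, but the declared path skips the gateway: policy rejects it.
    no_gw = ("sender-net", "isp-b", "dest-net")
    skipped = send(b"hello", no_gw, no_gw)
    return (verify_at_destination(ok, POLICY),
            verify_at_destination(diverted, POLICY),
            verify_at_destination(skipped, POLICY))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The third case in `demo` shows why the destination's own check is needed even when every hop behaves: consent proofs establish that the realms agreed to the declared path, but only the receiver knows its policy (mandatory gateway, region to avoid), so it compares the verified travelled path against that policy before accepting. The shared-key model is the main simplification; it is an assumption of this example and not a description of ICING's actual key management.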

“Dr. Nicolosi’s role in this critical research is indicative of the level of his expertise in cryptography and information assurance,” says Dr. Dan Duchamp, Department Director for Computer Science at Stevens. “This project represents a tremendous advance toward a safer Internet for individuals, businesses, network operators and governments.”

An early presentation of the research at ACM CoNEXT raised a question about the implications of the project on privacy and anonymity. Knowledge of the path a packet took to reach a destination also points to the identity of the sender. According to Dr. Nicolosi, “We are trying to strike a very fine balance with regards to privacy concerns. While we are shifting the default from relative anonymity to accountability, users still have the option to employ software that maintains anonymity.”

The Department of Computer Science at Stevens Institute of Technology is committed to being a world leader both in education and research. The major research interests of the faculty in the department are computer security, computer vision, visualization, and graphics, programming languages, theoretical computer science, networks and networking, and computational biology. Faculty routinely consult and collaborate with major global companies, top industry laboratories, and peer academic departments. In the area of computer security, Stevens is a National Center of Academic Excellence in Information Assurance Education for the academic years 2003 through 2014, and a National Center of Academic Excellence in Information Assurance Research for the years 2008 through 2013. Graduates from the program are highly valued professionals noted for their strong technical background, high degree of creativity, and knowledge of IT business issues.